Chinese Cyber Espionage: US Must Shout but Also Listen

By Jason Healey

After years of silence, the United States has finally had enough of Chinese cyber-theft of trade secrets. American officials have repeatedly raised the issue with their Chinese counterparts in language that is increasingly frank.

When pressed in public or in private, Chinese officials usually respond in one of several ways. They argue that the cyberattacks are too hard to trace to know with any certainty who perpetrated them. They argue that the Chinese government can't be blamed because hacking is illegal in China. They claim that accusations of Chinese cyberattacks are just inventions intended to denigrate China. They out and out deny responsibility, pointing to the lack of solid proof. Finally, they make counteraccusations: As one Chinese spokesman explained to the Financial Times: "[A]s a late starter, China's internet is highly vulnerable and among the most victimised by cyber attacks. The latest figures show that in the past two months, 6,747 overseas servers were found to have controlled more than 1.9m mainframes in China with Trojans or botnets."

The first four of these defenses are relatively easy to dismiss. There is a decade-long history of Chinese cyber-meddling with many nations, not just the United States, which has been exceptionally well documented only to be offhandedly dismissed by Chinese officials. All modern militaries, including both the People's Liberation Army and U.S. forces, are seeking offensive and intelligence advantages through cyber-capabilities. In the face of the Department of Defense's relative transparency, Chinese denials make the PLA appear that much more culpable.

China's counteraccusations, however, demand a more detailed response. Typically these claims are a non sequitur to deflect criticism: "We couldn't be hacking you; we're getting hacked ourselves," as if cyberspace forced them to choose one or the other. For a decade, these pleas have been dismissed as the thin defense of the guilty. But there is a nugget of truth in Chinese counteraccusations. China not only has a cyber problem, it has a valid U.S. cyber problem -- and it's one that Secretary of State John Kerry appears to have agreed to address.

The Chinese press has reported that the websites of 85 public institutions and companies were "hacked" between September 2012 and March 2013, with 39 of those attacks traced back to the United States. During a similar period, Chinese authorities noted that there had been some 5,800 hacking attempts from U.S. IP addresses and that U.S.-based servers had hosted 73 percent of the phishing attacks against Chinese customers. Of the 6,747 computers controlling nearly 2 million botnets in China -- the ones the Chinese spokesman told FT about -- 2,194 were in the United States, "making it the largest point of origin of cyber attacks against China," according to Xinhua.

Perhaps oddly for Chinese statistics, these actually stand up to scrutiny: American cyberspace is one of the least secure online realms. The United States does indeed top the list of botnet controllers with 40 percent of the total tracked by cybersecurity giant McAfee; Russia accounted for 8 percent and China 3 percent. Other measurements show these nations grouped closer together, but the United States is clearly a leading source of attacks. For example, Akamai, one of the world's largest content-delivery networks, has observed that 13 percent of global attack traffic originated from the United States, though 33 percent came from China. Russia has the most malicious servers, with the United States ranking sixth; China doesn't make the top 10, according to HostExploit's latest quarterly report. After years of stories about U.S. military and intelligence cyber-capabilities, international audiences might see these statistics and agree with China that it is the Americans who are the troublemakers -- after all, they were the ones behind Stuxnet.

But China's claims of victimhood sometimes get a better hearing than they should. Western newspapers can appear balanced by reporting that each side is "trading barbs" or "exchanging allegations," while the Chinese nationalist press can assert that "the US' exaggerations of the threat posed by Chinese hackers are aimed at creating an environment to accelerate its capability to carry out a cyber war." Such messages are part of a campaign aimed squarely at the non-aligned countries, which have long worried about U.S. hegemony, including in cyberspace. It is a message that is winning adherents.

Yet U.S. cyber-operations are extremely different from their Chinese equivalents and cannot be compared in the way the Chinese suggest. When the U.S. military or intelligence community conducts cyber-operations, they are quiet, coordinated, exceptionally well targeted, and under the strict control of senior officers and government executives. Lawyers review every stage. Even Stuxnet, though it was a breathtakingly sophisticated and brazen attack, was so tightly controlled that, when it escaped its target network, it caused no disruption. The White House keeps a close hold on cyber-operations through senior executives, generals, and political appointees throughout the bureaucracy.

Chinese espionage, by comparison, is under no such control. As in other areas of Chinese society, the People's Liberation Army and state-owned enterprises are subject to little oversight and feel little need to coordinate their actions. Recently, one colleague who works for a specialized incident-response firm reported finding as many as seven different Chinese espionage groups operating in the same network, all sending information back to different masters. Few, if any, senior party officials care to rein in activities helping domestic companies (and probably lining their own pockets) by stealing foreign intellectual property.

Yes, the United States may be addicted to using cyber-operations as a cheap and easy way to disrupt adversaries and gain intelligence, but this has absolutely nothing to do with the nation being a home for phishing sites, malicious software, and botnet controllers. These are purely criminal matters, as juveniles, organized-crime groups, and others use U.S. servers to host their felonious attempts to disrupt, blackmail, defraud, spam, and annoy the rest of us. The United States has so many computers and so much of the Internet's underlying infrastructure -- with perhaps 500 million hosts compared to 20 million for China -- it is not surprising that so many criminal attacks originate or pass through here.

Still, the United States can and should clean up its own act -- not because of any Chinese finger-pointing, but because it serves our commercial and societal interests, and because it's the right thing to do. If an attack is coming from here, there is a good chance it's because an American citizen is a criminal or because a citizen's computer or network has been taken over by foreign criminals. Either way, the U.S. government has the obligation to stop it. Yet while in Beijing, I have heard Chinese cyber-crime officials say they have asked the United States for help that never comes.

That's why it's good that Secretary Kerry just announced a joint U.S.-China working group to tackle cyber issues. In this group, American officials should shout loudly, but they should listen, too -- ask for details and hunt down the perpetrators using the resources of the Department of Homeland Security, the Department of Justice, and the FBI. Not only will cleaning up our own Internet improve cyberspace for us, it will provide a chance to shift the U.S.-China dynamic. At present, the conversation is mostly one-sided, with senior American officials berating their counterparts. Taking action on valid Chinese criticisms may help develop this into an actual conversation.

Moreover, many leaders around the world are confused about U.S. intentions in cyberspace, and concerned that, in light of Stuxnet and Cyber Command, the United States is preaching "do as I say, not as I do." If the United States were to publicly respond to Chinese counteraccusations, it could regain the high ground and demonstrate the difference between the two countries' approaches to cyberspace. The United States is committed to an open and global Internet, while China pushes a darker vision with strong national borders cutting out any objectionable material.

U.S. officials must continue their campaign to convince the Chinese leadership to reduce cyber-espionage. It may seem like tilting at windmills, but it is the right policy and long overdue. But China has some legitimate concerns also, which are in America's own interests to resolve (and be seen resolving) and the new joint working group provides the perfect opportunity. In any relationship, there is room even in the most heated argument for both shouting and listening.

Jason Healey is director of the Cyber Statecraft Initiative. You can follow his comments on cyber cooperation, conflict, and competition on Twitter, @Jason_Healey. This piece first appeared on Foreign Policy.